We are offering a one day course on Exercise Design and Delivery which will focus on Engaging with Risks and Making Exercises Real. This course is suitable for anyone who has a responsibility for exercises whether an Emergency, Continuity or Risk professional or who wants to understand how to get the best out of exercises for training and testing.

This article was published in NSAI EZine May 2015

ISO 31000 Risk Management Standard

ISO 31000 is a relatively new International Standard that, after four years of development, was published in November 2009. It provides generic guidelines for the principles and the adequate implementation of risk management. The standard is now undergoing the periodic revision that most ISO standards go through, so it is a good time to reflect on the main elements of the standard and what it means to a variety of organisations.

The revisions are at this point likely to be technical in nature and should see an improvement on the first edition in terms of clarity. In this article, we introduce ISO 31000 and answer some of the questions you might have about the new standard.

What is ISO 31000?

ISO 31000 is an International Standard that seeks to provide organisations with guidelines for the principles and the adequate implementation of risk management.

Is ISO 31000 mandatory?

ISO 31000 is not mandatory; as an International Standard it describes voluntary risk management principles and guidelines for the implementation of risk management. Adopting a generic approach, the standard allows the unique needs of a specific organisation (e.g. objectives, context, structure, projects, products, services, etc.) to influence the design and implementation of risk management.

My organisation is already compliant with an existing good practice standard. What does this mean for us?

The chances are that if you are fully compliant with an existing code or standard, your organisation will have achieved many of the requirements outlined in ISO 31000. However, there may be additional elements that need to be in place, or further emphasis/focus placed on particular areas, before you are able to meet the full requirements of the new International Standard. Many other codes, e.g. COSO, are also being revised.

Where so many of the efforts to unify the global view of risk management have fallen short, the ISO standard is expected to succeed. By simplifying complex concepts and in coupling the framework with the process and principles of cross-organizational risk management efforts, the Standard is likely to subsume most, if not all, of the existing independent and national risk management standards. To that end, the Standard will provide organizations with a tool to adhere to best practice and, if implemented, will provide a platform for developing effective management of risk.

What are the benefits of formally addressing risk management through ISO 31000 compared to other risk management standards?

ISO 31000 has been written and developed by an ISO International Technical Committee representing risk management experts throughout the world. As a concise and comprehensive statement of good risk management practice, ISO 31000 will likely supplement or replace a variety of independent and national risk management standards: the Australia/New Zealand risk management standard AS/NZS 4360 and COSO have both agreed to conform with ISO 31000. For example, in Ireland the Department of Finance guidelines reference AS/NZS 4360, which has since been retired in favour of ISO 31000.

De facto, this means that all public sector organisations in Ireland should be following the ISO 31000 standard. ISO 31000 therefore provides organisations with a tool for following good practice and, if implemented, will provide a platform for developing effective management of risk.

Who will be affected and how?

Whilst every organisation will have its own unique risk footprint and its own risk management challenges, ISO 31000 has been developed so that it is generic and not specific to any industry or sector. The International Standard can be applied to large, medium and small enterprises, whether public or private, as well as to a wide range of activities, decisions and operations. ISO 31000 is not a legal requirement and there will be no immediate obligation for organisations to take any action.

However, we would recommend clients become familiar with the standard and, as a minimum, compare their existing risk management framework with the standard. Clients may also experience pressure from stakeholders, such as customers, to demonstrate that they have in place proactive and formal risk management.

My organisation has been practising risk management for several years. Does the advent of ISO 31000 mean we need to start again?

No, ISO 31000 is only a guide and its application needs to be tailored to your specific needs. Every organisation will have its own level of risk management maturity and therefore will be affected differently by the new International Standard. It would be worth using the standard as a sense check to ensure you continually review your risk management approach against best practice.

Do I need certification?

No, definitely not. This is a voluntary standard and, although certification may come into play for some organisations in the future, no such requirement exists at present.

Does ISO 31000 provide details on how I go about Risk Assessment?

Other than in a general approach, no. A complementary standard, IEC 31010, deals specifically with risk assessment. This standard, which is currently being revised, gives an insight into the myriad of assessment methods and, even at that, is far from exhaustive.

Further Information

The author of this article, Sean Coleman, is part of the NSAI Risk Management committee and was a co-author of the national guidance. Sean has worked with a variety of public and private sector organisations and offers a range of training courses on the subject of Risk Management and ISO 31000 in particular. Further information is available on www.colemanrisk.ie

Serious flaws in the system intended to prevent fire risk were highlighted recently at the Priory Hall apartment development and by fires and incidents at other locations. This prompts risk management consultant Sean Coleman to ask: do we need to update our fire safety laws?

There have been considerable changes in UK fire safety law; in particular, the Regulatory Reform (Fire Safety) Order 2005 replaced most fire safety legislation with one simple order. Little has changed here.

Now any person who has some level of control in premises must take reasonable steps to reduce the risk from fire and make sure people can safely escape if there is a fire. In the UK, much attention has been given to a number of tragedies. These include the Lakanal House social housing fire in 2009, in which six people died; the fire in 2004 at the Rosepark residential care home in Lanarkshire, which resulted in the deaths of 14 elderly residents; and the explosion at ICL Plastics in Glasgow in 2004, in which nine people were killed (see HSR September 2009).

IRISH FIRE SAFETY LAW

The law concerning fire safety in Ireland has evolved over many years. It initially applied to industrial and not to commercial premises, but following the Stardust nightclub tragedy, a new law, the Fire Services Act, was introduced in 1981. The Act was designed to apply to places of public assembly and not industrial premises. The Act focused on fire safety management rather than design.

It was not until the General Application Regulations 2007 that the Fire Services Act applied to all premises, bringing a common approach to all sectors and repealing the need for a certificate of means of escape for industrial premises. From the design perspective, it was not until 1992 that the Building Regulations were ratified, replacing draft regulations.

A series of fire guides were issued by the Department of Environment for places of public assembly. No such guides exist for factories.

In the meantime, there has been a whole raft of guidance issued in the UK. Of particular note are the Fire Risk Assessment guides, free to download at www.communities.gov.uk/fire. Under the Regulatory Reform (Fire Safety) Order in the UK, each premises must produce a fire risk assessment. No such law applies here, but there is the more general requirement to carry out a risk assessment and record significant findings.

The 2014 Regulations are intended to work in tandem with a Code of Practice for Inspecting and Certifying Buildings and Works, which will inform the assigned certifier, builder, design certifier and other parties how to manage their respective roles, including the preparation of an inspection plan, carrying out inspections and ultimately certifying the works.

The final approved version of the Code was made available at the end of the first week in February 2014. Interestingly, there is no mention of fire specialists, only ancillary certifiers who will support the view of the assigned certifier.

I am not convinced that we should go down the UK way, as the standard of self-assessment is at least questionable. What I think is needed in both jurisdictions is a regime of checking, inspection and auditing, with subsequent action against those who do not comply. If designers, owners, developers and contractors know there is a serious regime of compliance monitoring, then they will more likely do the right thing in the first place.

Look at the HIQA example in the health sector, which has certainly cast a whole new light on standards. We have also greatly improved road safety through serious efforts on driver behaviour. Do we seriously think we would have improved without speed cameras, penalty points and random breath tests?

I do not think we need a whole raft of new legislation and guides. We should pretty much follow the guides developed in the UK. What we need is enforcement through inspection, followed by action. This will drive the right behaviour.

I have seen cases where the design details submitted with a fire certificate application are far from what is actually built. At the Priory Hall development, dwellers had to leave their homes when the extent of the flaws became apparent several years after construction. As well as numerous build quality issues, the lack of fire-stopping forced residents to leave their homes in 2011 on safety grounds, never to return.

So must we wait for the inadequacies in fire safety to visit us again in the form of a tragedy before we act? We need a series of random inspections before handover and subsequent inspections in the course of a building’s lifetime. Such a system could be risk-based, with priority given to the higher exposures.

The new Code concerning certification suffers from a simple flaw. It is the developer or builder or owner who will pay the certifier. It is still a version of self-certification. Self-audit does not work in risk management practice, unless backed up by external audit. There is however the advantage that in the new system, certification relates to the finished article and involves all parties.

Two major problems remain:

- What about all the properties already built: how will the shortcomings be addressed?

- How will the fire risk management of the existing and newly built stock be addressed?

CHECK

Next time you visit a hotel, hospital, school or even an underground car park, look out for the wedged fire doors, blocked exits and inadequate signage. Then ask: who rings the fire brigade, where is the assembly point, how long before we investigate the alarm activation and before we ring the brigade? Where is the nearest hydrant? When was it last tested, if ever? Where is that extinguisher? Well, of course, there it is, serving its usual purpose of holding open the fire door. What about that underground gas pipeline? Is it in good condition?

It’s a simple enough theory that if there are several problems, then a major loss is far more probable. The motivation is not obvious to many because of the relatively low frequency of serious fires. However, the impact can be severe. Look up Lakanal House and ICL Plastics, Glasgow (2004): click on the following link,

Does it ever occur to us that in order for something to work, there has to be feedback, especially for something where frequency is low? That something in this case is either good fire safety design and subsequent management, or that which we all fear: a nasty fire. So let’s have feedback from inspections and audits, and not from fires.

(Sean Coleman is founder and senior risk consultant with Coleman Risk Consulting. He has worked in the risk management field for more than 30 years, starting his career as a fire surveyor with Cigna Insurance Company in 1982. He is a member of NSAI standards committees. He can be contacted at sean@colemanrisk.ie. website www.colemanrisk.ie.)

(Viewpoint is an occasional column in HSR, in which readers can offer their opinion on issues. The opinions offered are those of the writer only. Readers are invited to respond. Any readers wishing to submit an article for the Viewpoint column should contact the editor, Herbert Mulligan, either by phoning 01-6671152 or emailing hmulligan@irn.ie)